Digital forensics refers to the processes involved in examining data from hard drives, volatile memory (RAM), network captures, and a wide range of digital devices for artifacts that remain after specific actions occurred on a system.
When faced with insider threats like employee misconduct or other forms of security breaches such as those committed by an external threat, organizations rely on digital forensics experts to determine the extent of the damage and losses.
Similarly, after being targeted by advanced attackers looking to steal intellectual property, classified information, and other highly sensitive materials, the digital forensics and incident response processes are necessary to determine how attackers gained initial access, what systems and resources were compromised during the attack, and what data was moved outside of the company’s control.
“Without having a trained and skilled workforce capable of handling such threats, organizations and governments will be fighting a hopeless battle and will lose enormous amounts of money, IP, and state secrets along the way,” said Andrew Case (@attrc), senior digital forensics, incident response, and reverse engineering trainer at The Hacker Academy (@HackerAcademy), an online ethical hacker training program established in 2010 and designed by pentesters to help educate young security pros with hands-on training.
Case is a GIAC-certified digital forensics investigator who has conducted numerous large scale investigations, and his experience includes conducting penetration tests, source code audits, and binary analysis for large organizations.
Case is the co-developer of the Registry Decoder, a forensics application funded by the National Institute of Justice, a developer on the open-source Volatility memory analysis project, and has delivered trainings in the fields of digital forensics and incident response.
Case’s primary research focus is in physical memory analysis, and he has published a number of peer-reviewed papers in the field and has presented his research at numerous conferences including Black Hat, RSA, SOURCE, BSides, OMFW, GFirst, and DFRWS.
“Forensics is a very interesting field, as it must keep up with new technology, advances in malware and attacker techniques, as well as the explosion in the size and amount of data electronically stored by organizations,” Case said. “Together, these pose a range of challenges that require new research and development to be performed in order to give forensics investigators a chance of performing successful investigations.”
Case says that forensics also has a very positive real-world impact, as these investigations uncover evidence needed to prosecute criminals, prevent repeat attacks from happening in the future, and provide much needed analysis of threats that can be used by the entire information security community.
Registry Forensics Master Class
Registry forensics is one of the most essential skills a forensics investigator must have, according to Case. Operating systems like Microsoft Windows keep a wealth of information about the state and past activity on a computer within the registry.
“Examples of such information include previous program execution, application installation, removable device activity, application persistence mechanisms, network share interactions, and much more,” Case said. “So we developed the registry forensics master class in order to provide a deeply focused course that explores all of the artifacts stored within the registry both on-disk and in-memory.”
Students learn how to acquire registry hives from Windows systems, analyze the contained artifacts using a number of techniques, and learn how to understand what the artifacts mean in context of an investigation.
“They also learn how to perform custom analysis through scripting popular registry forensics tools,” Case said. “By the end of the course, students are able to immediately incorporate the skills learned into real-world forensics investigations, incident response handling, and malware analysis.”
Digital Forensics and Incident Response
For the last two summers, Case and his colleague Jamie Levy have taught a course titled “Digital Forensics & Incident Response” at the BlackHat Conference in Las Vegas, with a focus on disk and memory forensics in Windows systems.
“We take the student from very low level details of forensics, such as file system structures and on-disk layouts of certain file types, through high-level analysis techniques such as baselining and timelining,” Case explained. “Along the way we cover every major Windows forensics artifact along with how to acquire, analyze, and incorporate analysis of the artifact into investigations.”
This class has been a huge success, Case said, with both BlackHat sessions achieving maximum attendance, and the success of these previous offerings has led to the class’s inclusion at the training-only BlackHat Seattle event in December.
“The students of this class will be receiving very cutting-edge training as we have incorporated a number of new artifacts into the class that only appear on Windows 8 systems and that are just being understood by the community,” Case said.
If you are in the neighborhood, you should definitely check it out.